Critical Fedora 40 RapidJSON Fix for Privilege Escalation Vulnerability
Summary
RapidJSON is a fast JSON parser and generator for C++. It was
inspired by RapidXml.
RapidJSON is small but complete. It supports both SAX and DOM style
API. The SAX parser is only a half thousand lines of code.
RapidJSON is fast. Its performance can be comparable to strlen().
It also optionally supports SSE2/SSE4.1 for acceleration.
RapidJSON is self-contained. It does not depend on external
libraries such as BOOST. It even does not depend on STL.
RapidJSON is memory friendly. Each JSON value occupies exactly
16/20 bytes for most 32/64-bit machines (excluding text string). By
default it uses a fast memory allocator, and the parser allocates
memory compactly during parsing.
RapidJSON is Unicode friendly. It supports UTF-8, UTF-16, UTF-32
(LE & BE), and their detection, validation and transcoding
internally. For example, you can read a UTF-8 file and let RapidJSON
transcode the JSON strings into UTF-16 in the DOM. It also supports
surrogates and "\u0000" (null character).
JSON(JavaScript Object Notation) is a light-weight data exchange
format. RapidJSON should be in fully compliance with RFC4627/ECMA-404.
Update Information:
Fix for CVE-2024-38517.
Change Log
* Wed Jul 10 2024 Tom Hughes
References
[ 1 ] Bug #2296979 - CVE-2024-38517 rapidjson: privilege escalation via integer underflow in GenericReader::ParseNumber() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2296979
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-fb1e912d0e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label